FTC should investigate Microsoft after Ascension ransomware attack, senator says
A U.S. senator is blaming faulty Microsoft technology for a ransomware attack on Catholic healthcare giant Ascension Health last year.
Democratic Sen. Ron Wyden asked the Federal Trade Commission (FTC) to investigate Microsoft’s responsibility for the incident, accusing the tech giant of “gross cybersecurity negligence” that has led to several ransomware attacks on critical infrastructure in the U.S.
In a letter to the FTC, Wyden said his office conducted an investigation into the 2024 ransomware attack on Ascension and found that the hackers behind it used a technique called “Kerberoasting” to gain access to privileged accounts on Ascension’s Microsoft Active Directory server.
“This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous,” wrote Wyden, who represents Oregon and monitors tech issues closely.
“Although Microsoft’s software also supports a secure encryption technology approved and recommended by the U.S. government, known as the Advanced Encryption Standard, this vastly superior encryption technology is not required by default in Windows,” Wyden wrote.
The four-page letter goes on to explain that Microsoft’s use of RC4 encryption technology “needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators.”
When asked about the letter and the claims, a Microsoft spokesperson agreed that RC4 is an old standard that the company discourages customers from using.
Microsoft claimed the technology makes up less than 0.1% of the company’s traffic but argued that disabling it would “break many customer systems.”
“For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible,” the spokesperson said.
“We have it on our roadmap to ultimately disable its use. We’ve engaged with The Senator’s office on this issue and will continue to listen and answer questions from them or others in government.”
Microsoft added that it has already ended support for another, similarly problematic standard and said that by the first quarter of 2026, any new Active Directory domain installed on Windows Server 2025 will have RC4 disabled by default.
Wyden’s letter said Microsoft believes the threat of Kerberoasting can be mitigated by setting long passwords beyond 14 characters.
Microsoft allegedly told Wyden that it planned to release a software update that would disable RC4 encryption technology as well as guidance for how security teams can better protect organizations.
But he slammed Microsoft for instead publishing a “highly technical blog post on an obscure area of the company’s website” that was not publicized.
“Moreover, Microsoft declined to explicitly warn its customers that they are vulnerable to the Kerberoasting hacking technique unless they change the default settings chosen by Microsoft,” Wyden said.
His letter notes that multiple U.S. agencies have released their own guidance warning of Kerberoasting and the need to disable RC4 encryption.
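The attack chain described above turns on two things a defender controls: whether service accounts still accept RC4 service tickets, and whether anyone is watching for the bulk ticket requests that Kerberoasting produces. As an added example, not code from the article, Wyden’s office or Microsoft, the Python below decodes the msDS-SupportedEncryptionTypes attribute to flag accounts that still permit RC4, and runs two detections over constructed Windows Security event 4769 (“A Kerberos service ticket was requested”) records: weak (RC4/DES) service tickets issued for user service accounts, and one requester pulling tickets for many service principals in a short window. Field names follow the 4769 event XML; the sample events, account and service names are constructed for the example.

```python
"""Kerberoasting exposure and detection checks (added example, not from the article).

Assumes 4769 events have been exported as dicts keyed by their XML field names
(TargetUserName, ServiceName, TicketEncryptionType, Status, SystemTime).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type codes as logged in the 4769 TicketEncryptionType field.
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
# RC4 keys are just the NT hash of the password, so an RC4 ticket is an offline-crackable sample.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
SET_RC4 = 0x4
SET_AES128 = 0x8
SET_AES256 = 0x10


def account_allows_rc4(supported_enc_types):
    """True if an account's msDS-SupportedEncryptionTypes lets the KDC issue RC4 tickets for it.

    An unset attribute (None) is treated as RC4-capable, which is the long-standing
    default behaviour the article describes; 0x18 (AES128 | AES256) is the hardened value.
    """
    if supported_enc_types is None:
        return True
    return bool(supported_enc_types & SET_RC4)


def _user_spn_tickets(events):
    """Yield successful 4769 events for user service accounts.

    Machine accounts (ServiceName ending in '$') and krbtgt have long random keys
    and are not worth cracking, so they are filtered out as noise.
    """
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status", "0x0") != "0x0":
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        yield ev


def weak_service_tickets(events):
    """Return (requester, service, etype name) for tickets issued with a weak etype."""
    hits = []
    for ev in _user_spn_tickets(events):
        etype = int(ev["TicketEncryptionType"], 16)
        if etype in WEAK_ETYPES:
            hits.append((ev["TargetUserName"], ev["ServiceName"], ENC_TYPES.get(etype, hex(etype))))
    return hits


def roasting_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Map requester -> sorted services for anyone obtaining tickets for >= threshold
    distinct user SPN accounts inside `window`. This bulk-request pattern flags SPN
    harvesting even after RC4 is disabled, when AES tickets are slower but still crackable."""
    by_user = defaultdict(list)
    for ev in _user_spn_tickets(events):
        by_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["SystemTime"]), ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts


# Constructed sample log: one benign session, one contractor account harvesting RC4 tickets.
SAMPLE_EVENTS = [
    {"EventID": 4769, "SystemTime": "2024-05-08T09:00:00", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "SystemTime": "2024-05-08T09:01:00", "TargetUserName": "contractor1@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "SystemTime": "2024-05-08T09:01:05", "TargetUserName": "contractor1@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "SystemTime": "2024-05-08T09:01:10", "TargetUserName": "contractor1@CORP.EXAMPLE",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "SystemTime": "2024-05-08T09:01:12", "TargetUserName": "contractor1@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "SystemTime": "2024-05-08T10:30:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Failed request (non-zero Status): no ticket was issued, so nothing to crack.
    {"EventID": 4769, "SystemTime": "2024-05-08T10:31:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x12"},
]

if __name__ == "__main__":
    for mask in (None, SET_RC4 | SET_AES128 | SET_AES256, SET_AES128 | SET_AES256):
        print(f"msDS-SupportedEncryptionTypes={mask!r}: allows RC4 = {account_allows_rc4(mask)}")
    for hit in weak_service_tickets(SAMPLE_EVENTS):
        print("weak ticket:", hit)
    for user, services in roasting_bursts(SAMPLE_EVENTS).items():
        print("burst:", user, services)
```

Both detections are intentionally conservative: the etype check alone catches legacy applications that still negotiate RC4 as well as attackers, so in practice the burst heuristic is what separates a roasting run from a single misconfigured client, and the attribute check is what tells you which accounts to fix (a long random password or a group managed service account for the SPN account, and the AES-only value on msDS-SupportedEncryptionTypes).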
He went on to criticize several other Microsoft security failures, including the most recent string of attacks targeting the company’s SharePoint software. Microsoft’s market dominance has allowed it to build a secondary business selling cybersecurity add-on services, Wyden added.
“At this point, Microsoft has become like an arsonist selling firefighting services to their victims,” he said.
“And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT.”
Traced back to Bing
Wyden said his office was told by Ascension that the ransomware attack was traced back to a web search using Microsoft’s Bing. A contractor clicked on a malicious link and accidentally downloaded malware, allowing the hackers to gain a foothold and eventually escalate their access.
The hackers then pushed ransomware out to thousands of Ascension computers, according to Wyden.
The senator noted that Microsoft has a “de facto monopoly over the operating systems used by most companies and government agencies” that allows the company to choose the default settings and security features.
Most security settings are applied automatically by default, Wyden explained, and most organizations do not take the time to adjust them.
The FTC and Ascension did not respond to requests for comment.
The attack on Ascension was devastating, forcing the organization’s 140 hospitals across 19 states to operate manually for weeks.
The sensitive healthcare and financial data of nearly 6 million people was leaked as a result of the attack, and dozens of hospitals had to turn away ambulances and cancel non-emergency appointments.
At the time of the cyberattack, CNN spoke to a nurse at an Ascension hospital in Michigan who said it was “putting patients’ lives in danger.”
Without access to the electronic medical records system, nurses and doctors could not pull up people’s medical history, delaying tasks such as imaging tests for injuries like strokes or heart attacks. Nurses had to use communal Google Docs to write down prescription doses and communicate.
"We are waiting four hours for head CT (scan) results on somebody having a stroke or a brain bleed," one nurse at Detroit’s Ascension St. John Hospital told the Detroit Free Press. "We are just waiting. I don't know why they haven't at least paused the ambulances and accepting transfers because we physically ... don't have the capacity to care for them right now."
Patients in Texas, Illinois and Tennessee previously filed class action lawsuits against the organization for the leak of sensitive health information during the cyberattack.
The Black Basta ransomware gang never publicly took credit for the attack but was implicated by several sources.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.